Network telemetry explained: Frameworks, applications & standards

Monitoring interface metrics will give you a partial overview of your network's performance. However, you sometimes need a deeper understanding. Welcome to network telemetry—a set of advanced techniques that enable you to gain a comprehensive grasp of what is happening within your computer networks.

Network telemetry involves monitoring a network's vital signs to assess and maintain the performance of your network infrastructure. By observing and analyzing data from various network devices and systems, network telemetry helps you detect and diagnose potential issues and optimize network performance.

Network telemetry defined

Network telemetry describes the practice of gathering and interpreting data related to traffic flows, network management information, and logs to gain insights into a network's performance and condition. This technique collects data from various sources including network hardware like switches and routers, servers, and the applications running on them.

The key aspects of network telemetry are:

• Data collection: This involves gathering data from various network components.
• Data processing: This entails refining and analyzing collected data for a thorough comprehension and actionable insights.
• Visualization and reporting: Processed data is often visualized in dashboards and reports to help network operators understand current network conditions and trends.
• Action and automation: In addition to notifying operators of issues, automated actions can alter configurations to fix problems without human intervention.

Network telemetry frameworks

A network telemetry framework is formally defined and extensively described in a proposal document called RFC 9232.

Organizations must abstract and merge data collected from various sources using different standards and techniques to apply machine learning (ML). To enable this, we must establish a framework that categorizes and arranges the different data sources and types.

Top-level modules

Network telemetry frameworks have four top-level modules. The first three are considered the three planes of a network device, while the fourth consists of data from external sources:

• Management plane: Encompasses protocols such as the Simple Network Management Protocol (SNMP) and Syslog, which offer vital information including data on network logging, performance, network statistics, network defects, and network alerts
• Control plane: Monitors network control protocols to ensure the health of every layer of the protocol stack; detects, localizes, and predicts real-time network issues, optimizing the network
• Forwarding plane (or data plane): Where high-speed telemetry of the actual traffic flows
• External data: Where event detectors analyze streams of logs from hardware and software that may be physically separate from the network infrastructure.

Second-level components

Each telemetry module consists of components responsible for five distinct functions:

• Data query, analysis, and storage: Responsible for issuing data requirements to network devices and receiving, processing, and storing returned data; e.g., your typical network monitoring application with distributed or centralized pollers
• Data configuration and subscription: Manages data subscriptions and queries to devices, determining the protocol and channel for each data acquisition; also manages the configuration of desired data from sources where it might not be readily available
• Data encoding and export: Regulates how telemetry data is transmitted to the analysis and storage component; encoding and transportation methods defined by the export destination
• Data generation and processing: Involves capturing raw data from hardware and then filtering, processing, and formatting it in network devices; often utilizes a fast or slow path for in-network computing and processing
• Data object and source: Identifies monitoring objects as well as original data sources, i.e., static or dynamic; raw data may require further processing

Data acquisition mechanism and type abstraction

Network data can be obtained via query (pull) and subscription (push). Queries are one-off requests with immediate feedback, while subscriptions establish ongoing contracts between subscribers and publishers.

After the subscriber registers, the publisher continuously delivers data until the subscription ends. Subscriptions offer greater efficiency than queries and can also decrease the latency of perceived changes.

The four different data types are:

• Static data: Readily available data
• Derived data: Data requiring processing or creation by amalgamating other data
• Event-triggered data: Data acquired due to an event or state change
• Streaming data: Continuously generated data, high-frequency metrics that often demand high bandwidth and CPU

Integrating current tools into a framework

A network telemetry framework's flexibility allows it to operate effectively in any network environment. However, collecting and analyzing data from multiple domains must be correlated and contextualized, synthesizing performance metrics across domains to provide meaningful insights.

Network telemetry applications

The field of network telemetry is constantly evolving. As a network progresses towards automated operation, network telemetry applications go through different stages of development, each with new requirements and possibilities.

Each stage builds upon the techniques used by the previous stages, introducing new requirements and opportunities for network monitoring and optimization:

• Stage 0: Static Telemetry — The data type and source are fixed during the design of network hardware and have limited configuration.
• Stage 1: Dynamic Telemetry — The dynamic programming of custom telemetry data at runtime—without disrupting the network operation—leads to valuable trade-offs between resources, performance, flexibility, and coverage.
• Stage 2: Interactive Telemetry — Telemetry data can be adjusted and customized in real time based on the desired level of visibility. Changes happen frequently compared to Stage 1 and in reaction to real-time feedback. Despite the presence of automation, manual intervention may still be needed.
• Stage 3: Closed-loop Telemetry — The operations engine of an artificially intelligent network will update network configurations by examining the requested telemetry data. There is no human intervention except for generating reports.

Real-world applications of network telemetry

Use cases for network telemetry range from enhancing network visibility to troubleshooting and optimizing network performance. Below are several critical applications that illustrate the value of network telemetry in various aspects of network management:

• Traffic analysis and management: Network telemetry enables detailed visibility into traffic patterns across a network.
• Security monitoring: Telemetry data helps identify any abnormal activity that points to a possible security threat.
• Root cause analysis: Telemetry provides a historical and real-time view of a network's performance data, allowing network engineers to trace issues back to their source.
• Predictive maintenance: By analyzing trends and patterns in telemetry data, predictive models can identify equipment at risk of failure, allowing preemptive replacement or repair.
• Capacity planning: Network telemetry provides the data necessary for effective capacity planning.

Network telemetry protocols and standards

Standards for telemetry protocols ensure compatibility between various hardware and software, guaranteeing that collected data is correct. Examples of these standard protocols include:

• SNMP: A very mature standard for pulling telemetry data
• Syslog: For pushing event logs to centralized collectors
• NetFlow, sFlow, and IPFIX: For streaming data about traffic passing through a device

Is OpenTelemetry the same as network telemetry?

OpenTelemetry is a set of tools, including APIs and SDKs, that can generate, collect, and examine application telemetry data, including metrics, logs, and traces. This data can help with software performance analysis.

OpenTelemetry could be considered network telemetry for software applications. However, it would be of limited use within a network telemetry framework.

Ensuring data privacy, security, and compliance in network telemetry practices

This is essential, given the sensitivity of the data involved and the potential consequences of data breaches or non-compliance with regulations. You must implement effective strategies and practices to safeguard telemetry data throughout its lifecycle—from collection and transmission to analysis and storage.

This topic is too vast to cover in this post, but here are some key aspects and best practices to consider:

• Minimize data
• Implement anonymization and pseudonymization
• Ensure user consent and transparency
• Practice encryption
• Implement access controls
• Perform regular audits and monitoring
• Adhere to legal and regulatory standards
• Develop and enforce policies
• Ensure data sovereignty
• Design secure architecture
• Practice data segmentation and isolation
• Boost resilience and incident response

Solutions to mitigate limitations posed by legacy systems

It is widely acknowledged that SNMP communication can be established with almost any network device, regardless of its age. However, older devices may only provide a limited set of metrics.

Legacy network hardware can also send Syslog data to at least one or sometimes more collectors for processing as an external source, albeit usually with less verbosity than we are used to today. You can also route traffic to pass through a server or network device that supports streaming NetFlow, sFlow, or IPFIX telemetry to monitor traffic flows.

In the end, replacing legacy network hardware is critical for organizations to enhance network performance and mitigate security vulnerabilities.

Summary

A network telemetry framework is a comprehensive system that integrates various technologies and practices to provide deep insights into network operations, facilitating efficient and effective network management.

Choosing a suitable telemetry framework depends heavily on the given network environment and its requirements. Organizations might use multiple frameworks to cover all aspects of network telemetry, from essential monitoring with SNMP to real-time performance analysis with streaming telemetry.

Going forward, networks will continue to expand in terms of both their size and complexity. In this environment, the role of network telemetry frameworks will be increasingly important in ensuring smooth and secure network operations.